CN101192928B - Mobile ad hoc authentication method and system - Google Patents

Publication number
CN101192928B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2006101626944A
Other languages
Chinese (zh)
Other versions
CN101192928A (en)
Inventor
杨艳梅
姚军
曾贵华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Shanghai Jiaotong University
Original Assignee
Huawei Technologies Co Ltd
Shanghai Jiaotong University

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247: as H04L9/32, involving digital signatures
    • H04L9/3255: as H04L9/3247, using group based signatures, e.g. ring or threshold signatures
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80: Wireless

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to the communications field and discloses an authentication method, network and system for mobile ad hoc networks. It makes a hierarchical distributed authentication scheme for clustered mobile ad hoc networks realizable, with reasonable demands on processing resources, so that it can be implemented in practical application environments. The invention adopts the clustered networking structure of a mobile ad hoc network and proposes a hierarchical distributed identity authentication scheme. Inter-cluster communication uses an improved new threshold group signature protocol, which improves on the original GQ-based threshold group signature method by reducing the number of modular exponentiations, increasing computational parallelism and lowering processing resource requirements. At initialization, the system issues certificates and sub-keys uniformly; a sufficient number of cluster heads holding sub-keys can jointly recover the system key and thereby perform a group signature to issue a certificate to a newly joined node, with the joint group signature carried out over multi-hop serial communication.

Description

Authentication method and system for mobile ad hoc networks
Technical field
The present invention relates to the communications field, and in particular to a hierarchical distributed identity authentication scheme for mobile ad hoc networks.
Background technology
A mobile ad hoc network (MANET), also called a mobile self-organizing network, is a special mobile network with no wired infrastructure: a temporary, autonomous, base-station-free, multi-hop network formed by a group of mobile terminals equipped with wireless transceivers. Such a network can be set up quickly and flexibly and is not constrained by wired networks. It is mainly used in special and urgent environments such as military battlefields, flood control and firefighting, and places where cabling is impossible, and it has characteristics that ordinary communication networks lack: self-organization; a dynamic network topology; limited wireless transmission bandwidth; limited mobile terminals; multi-hop routing; vulnerability to attack; and so on. Because of these special applications, MANETs have become a research focus in wireless communications, and a sound security mechanism is an important prerequisite for their use.
When it first appeared, the term mobile ad hoc network referred to a small wireless local area network. Nodes in such a small LAN can communicate point-to-point directly, without going through a base station or other management and control equipment. When two communicating nodes cannot establish a direct link because of power or other reasons, other nodes in the network can relay the signal so that all nodes in the network can reach one another. Because the wireless nodes move at any time, the network topology also changes dynamically. The communication model between nodes therefore cannot simply copy that of existing infrastructure-based communication networks.
Self-organizing networks can be organized in two ways: a flat structure and a hierarchical structure. In the flat structure all nodes are equal, so it is also called a peer-to-peer structure. In the hierarchical structure the network is divided into clusters. Each cluster consists of one cluster head and several member nodes. The cluster heads are responsible for forwarding traffic between clusters. In the flat structure, every node needs to know a route to every other node. Because nodes move, maintaining this dynamically changing routing information requires a large number of control messages. The larger the network, the greater the overhead of route maintenance and network management, so the network scales poorly. The hierarchical structure overcomes the poor scalability of the flat structure, and network size is not limited. In the hierarchical structure the cluster heads are relatively powerful, while ordinary nodes are simpler and essentially do not need to maintain routes. This greatly reduces the amount of routing control information in the network. In addition, the hierarchical structure makes it easier to implement node mobility management and to guarantee the quality of communication services. A hierarchical network structure is therefore appropriate when the network is large and a certain quality-of-service guarantee is required.
Network security is a major problem in self-organizing networks. One characteristic of ad hoc networks is relatively poor security: they are easy to eavesdrop on and attack. Security architectures and security techniques suited to ad hoc networks therefore need to be studied. Current security work concentrates mainly on the study of wired encryption, on security analysis of cryptographic protocols and attack methods, and on message authentication and integrity techniques.
In a mobile ad hoc network, authenticating the identity of mobile users is an important part of keeping the network working properly; authentication effectively prevents impersonation attacks. A traditional network usually needs a trusted authentication center to provide key management services, but a mobile ad hoc network is a distributed network with no center, and all users are equal. Moreover, because the topology changes dynamically and the user population is fluid, there is no guarantee that a given user can act as a trusted party permanently. In particular, when a mobile ad hoc network is used for military purposes, a single trusted party becomes a critical point of the network and reduces its survivability.
As noted above, when a mobile ad hoc network is large, the authentication mechanism of a simple flat network cannot meet the network's authentication needs. A cluster-based network structure has many advantages over a flat one: clustering promotes the reuse of spatial resources and greatly increases system capacity; clustering reduces the broadcast packets sent during route discovery; clustering reduces the total volume of topology-update broadcasts in the network; and clustering strengthens network management and lowers the computing and storage demands on ordinary members. A clustered hierarchical architecture is therefore better suited to mobile ad hoc networks. A clustered MANET structure needs the support of a hierarchical distributed identity authentication scheme.
When a mobile ad hoc network is large, it needs hierarchical management, and the authentication mechanism of a simple flat network cannot meet its authentication needs; hierarchical distributed authentication is a good solution. Existing authentication schemes are mostly based on GQ threshold signatures and hash-chain authentication methods.
The Threshold Group signature is one of main research contents of threshold cryptography, is proposed by scholars such as Desmedt at first.Existing digital signature scheme mainly is divided into based on discrete logarithm cryptographic system and rsa cryptosystem system two big classes, and it is a kind of that the GQ scheme belongs to the back, i.e. a difficult problem of decomposing based on big integer.After the GQ signature scheme proposes, obtained paying close attention to widely.
Although the GQ signature scheme has been received more concern, seldom about the paper of GQ thresholding signature.This mainly is that its fail safe is based on the difficult problem that big integer decomposes because the GQ signature is belong to the threshold RSA signature a kind of.At first, decompose for the factor of the modulus N of protecting RSA, the member of the signature that can not let on knows Secondly,
Figure G061G2694420061212D000032
Not the territory, can not share signature key d with the way that general secret is shared.Liu has proposed a kind of Threshold Group-signature Scheme based on the GQ signature in 2003, detailed step is as follows:
Initial stage: let $n = pq$ and $m = p'q'$, with $p = 2p' + 1$ and $q = 2q' + 1$, where $p$, $q$, $p'$, $q'$ are large primes. $Q_n$ is the set of all quadratic residues in $Z_n^*$, and $g$ is a generator of $Q_n$. The order of $Q_n$ is $m$; all operations are carried out in the set $Q_n$, and exponent arithmetic is carried out in $Z_m$. Choose any polynomial over $Z_m$, $f(x) = a_t x^t + \dots + a_1 x + a_0$, let $s = g^{a_0} \bmod n$ be the master key, and distribute $s_i = g^{f(i)} \bmod n$ to each user $P_i$ as its sub-key. Suppose the network has $l$ users and let $L = l!$. Select a random integer $e$ coprime to $L^2$ and compute $v = 1/s^e \bmod n$. The parameters $(n, g, e, v, L)$ are public; everything else is kept secret.
Partial signature generation stage:
a. First, all users run a key agreement protocol once. Each user $P_i$ randomly selects a polynomial $f_i(x) = a_{it} x^t + \dots + a_{i1} x + a_{i0}$, computes $f_i(j)$ and $A_i = g^{a_{i0} e} \bmod n$, and broadcasts them to the other users, $j \in \{1, \dots, l\}$. Each user obtains its own share $f_r(i) = \sum_{j=1}^{l} f_j(i)$ and computes $r_i = g^{f_r(i)} \bmod n$, where $f_r(x) = \sum_{i=1}^{l} f_i(x)$. All users also obtain the common parameter $y = \prod_{i=1}^{l} A_i = g^{f_r(0) e} \bmod n$.
b. All users run the key agreement protocol once more. In this round each user $P_i$ chooses a polynomial whose constant term is 0, that is, $f_i(x) = a_{it} x^t + \dots + a_{i1} x$, computes $f_i(j)$ and broadcasts it to the other users. Each user obtains its own share $f_c(i) = \sum_{j=1}^{l} f_j(i)$ and computes $c_i = g^{L f_c(i)} \bmod n$, where $f_c(x) = \sum_{i=1}^{l} f_i(x)$.
c. All users compute $\sigma = H(y, M)$, where $M$ is the message to be signed and $H(\cdot)$ is a one-way hash function, and each computes its own partial signature $z_i = (r_i s_i^{\sigma})^L c_i \bmod n$.
Threshold group signature generation stage:
a. When more than $t+1$ users agree to sign, any $t+1$ users cooperate and compute $z' = \prod_{j=1}^{t+1} z_{i_j}^{\lambda_{i_j} L} \bmod n$, where the $z_{i_j}$ are the signatures of any $t+1$ users and the $\lambda_{i_j}$ are the corresponding Lagrange interpolation coefficients.
b. There exist integers $a$ and $b$ such that $L^2 a + e b = 1$; compute $z = z'^{a} (y / v^{\sigma})^{b} \bmod n$. The signature is $(z, \sigma)$.
Group signature verification stage: the verifier computes $y' = z^e v^{\sigma} \bmod n$. If $\sigma = H(y', M)$, the signature is valid.
Another, more efficient authentication method based on hash chains improves the efficiency of key use. Neumann proposed HORSE, a method that uses multiple hash chains as keys rather than only a single public/private key pair. The detailed steps of this scheme are as follows:
Let $m$ be the message to be signed. The integers $t$ and $l$ are security parameters, and $T$ is the set of integers from 0 to $t-1$. Choose a strong one-way function $H()$ that converts an input of arbitrary length into $k$ integers less than $t-1$, that is, $k \log_2 t \le |H()|$, where $|H()|$ denotes the binary length of the output of the hash function $H()$. $f()$ is also a hash function. Select $t$ values of $l$ bits each, $s_{\langle 0,0 \rangle}, s_{\langle 0,1 \rangle}, \dots, s_{\langle 0,t-1 \rangle}$, and use them to build $t$ hash chains of length $d$; these hash chains serve as the keys. The initial private key $SK_0$ and public key $PK_0$ are respectively:
$SK_0 = (s_0, s_1, \dots, s_{t-1}) = (s_{\langle d-1,0 \rangle}, s_{\langle d-1,1 \rangle}, \dots, s_{\langle d-1,t-1 \rangle})$
$PK_0 = (v_0, v_1, \dots, v_{t-1}) = (f(s_{\langle d-1,0 \rangle}), f(s_{\langle d-1,1 \rangle}), \dots, f(s_{\langle d-1,t-1 \rangle})) = (s_{\langle d,0 \rangle}, s_{\langle d,1 \rangle}, \dots, s_{\langle d,t-1 \rangle})$
where $s_{\langle i,j \rangle} = f^i(s_{\langle 0,j \rangle})$. Define $u$ as the sequence number of the key in the hash chain. The construction of the hash chains is shown in Fig. 1.
To sign, the signer first computes $h = H(m)$, splits $h$ into $k$ strings of length $\log_2 t$, $\{h_1, h_2, \dots, h_k\}$, and converts each $h_j$ ($1 \le j \le k$) into an integer $i_j$ ($1 \le j \le k$); according to the key currently revealed, the signature of $m$ is [formula image not reproduced]. Suppose the public key is $(v_0, v_1, \dots, v_{t-1})$ and sequence numbers are counted from 1. The signature [formula image not reproduced] is then a subset of $(s_{\langle d-u,0 \rangle}, s_{\langle d-u,1 \rangle}, \dots, s_{\langle d-u,t-1 \rangle})$. To verify the signature, the verifier computes the strings $\{h_1, h_2, \dots, h_k\}$ in the same way, converts them into the integers $i_j$ ($1 \le j \le k$), and checks whether $v_{i_1} = f^u(s_{i_1}), v_{i_2} = f^u(s_{i_2}), \dots, v_{i_k} = f^u(s_{i_k})$ hold. If these equations hold, verification passes.
Each signature uses $k$ key values, and each sequence number corresponds to $t$ key values. Once most of the key values for a given sequence number have been used, the sequence number is incremented by 1 and the key advances.
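The hash-chain signing and verification steps above can be exercised with the following Python sketch, an added example that is not code from the patent or from the HORSE authors. The parameter values ($t = 16$, $k = 8$, $d = 5$, 128-bit seeds), SHA-256 for both $H$ and $f$, and all function names are assumptions; the last check shows that a verifier holding the wrong sequence number $u$ rejects a valid signature, which is the synchronization dependency the scheme has.

```python
import hashlib
import secrets

# Constructed parameters: t chains, k indices per signature, chain length d.
T, K, D = 16, 8, 5
BITS = 4                      # log2(t): bits of H(m) that select one chain


def f(x):
    """Chain hash f(); SHA-256 with a domain tag is an assumption."""
    return hashlib.sha256(b"chain" + x).digest()


def f_iter(x, n):
    """Apply f n times: f^n(x)."""
    for _ in range(n):
        x = f(x)
    return x


def indices(msg):
    """H(m) split into k strings of log2(t) bits, each read as an integer i_j."""
    h = int.from_bytes(hashlib.sha256(b"msg" + msg).digest(), "big")
    h >>= 256 - K * BITS                      # keep the first k*log2(t) bits
    return [(h >> (BITS * (K - 1 - j))) & (T - 1) for j in range(K)]


def keygen():
    """Seeds s<0,j> and public key PK_0 = (s<d,0>, ..., s<d,t-1>)."""
    seeds = [secrets.token_bytes(16) for _ in range(T)]
    return seeds, [f_iter(s, D) for s in seeds]


def sign(seeds, msg, u):
    """Signature at sequence number u: the values s<d-u, i_j> for each i_j."""
    if not 1 <= u <= D:
        raise ValueError("sequence number outside the chain")
    return [f_iter(seeds[i], D - u) for i in indices(msg)]


def verify(public_key, msg, signature, u):
    """Check v_{i_j} = f^u(s_{i_j}) for every revealed value."""
    idx = indices(msg)
    if len(signature) != len(idx):
        return False
    return all(f_iter(s, u) == public_key[i] for s, i in zip(signature, idx))


def demo():
    seeds, pk = keygen()
    msg = b"join request, node 17"            # constructed message
    sig = sign(seeds, msg, u=2)
    return {
        "valid": verify(pk, msg, sig, u=2),
        "other_message": verify(pk, b"join request, node 18", sig, u=2),
        "verifier_out_of_sync": verify(pk, msg, sig, u=1),
    }
```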
In practical applications the following problems exist. The amount of computation in the GQ-based threshold group signature scheme proposed by Liu is too large; given the resource constraints of mobile ad hoc networks, this scheme is not suitable for them.
From the steps of this GQ threshold signature scheme it is easy to see that in the partial signature generation stage all users in the network run key agreement twice and need to compute 5l modular exponentiations; in the group signature combination stage, t+4 modular exponentiations are needed in total; and in the group signature verification stage, 2 modular exponentiations are needed. The demand on computing resources is therefore very high, whereas a mobile ad hoc network has no network nodes with strong processing capability such as base stations or gateways: all nodes are peers, and at most the cluster heads have somewhat stronger processing capability. This scheme is therefore difficult to apply in practice to the security authentication of mobile ad hoc networks.
In addition, this GQ threshold group signature scheme is a protocol for signing general messages, whereas in the hierarchical authentication scheme of a clustered MANET the group signature is issued to the user as an identity certificate, so the confidentiality and reuse of the identity certificate must also be considered; the scheme is deficient in this respect as well.
If the second scheme above, based on hash chains, is applied to mobile ad hoc network authentication, it has two fatal problems. First, the synchronization problem is hard to solve and easily leads to synchronization attacks: all nodes in a mobile ad hoc network communicate over multiple hops, authentication-related information must be synchronized among all nodes, and this scheme's synchronization requirements are too high, which reduces network reliability and security. Second, the hash function H() has a large number of output bits, which directly increases the amount of computation and likewise strains the processing resources of a MANET.
Finally, each of the schemes described above provides only a single authentication method; an overall hierarchical distributed authentication scheme for clustered mobile ad hoc networks is lacking, and a hierarchical authentication scheme that can be used in a real mobile ad hoc network environment is still needed.
The main cause of this situation is that both schemes solve only a simple signature or authentication problem and do not provide a complete hierarchical authentication scheme for clustered mobile ad hoc networks. Moreover, a defect in the theoretical basis of the GQ threshold signature scheme makes its demand on computing resources too large, and the hash-chain-based HORSE method cannot be implemented because the large number of hash output bits makes the amount of computation too great, while its mode of operation also demands too much of synchronization.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a hierarchical authentication method and system for mobile ad hoc networks, so that a hierarchical distributed authentication scheme for clustered mobile ad hoc networks can be realized.
To achieve this purpose, the invention provides a hierarchical authentication method for a mobile ad hoc network, in which the mobile ad hoc network adopts a clustered networking structure, each cluster contains a cluster head node, and inter-cluster communication passes through the cluster heads. The method comprises the following steps:
The system initializes all initial nodes and, by means of a new threshold group signature protocol, issues each node its own certificate and sub-key;
When a new node joins, a specified number of cluster head nodes, according to their sub-keys, jointly issue a certificate to the new node by means of the new threshold group signature protocol;
Nodes authenticate each other according to the certificates by means of the new threshold group signature protocol, realizing inter-cluster communication;
Here, the new threshold group signature protocol is an improved protocol based on GQ threshold group signature theory. Its differences from the GQ threshold group signature include: 2t modular exponentiations are computed in the sub-signature generation stage, where t is the number of members in the network participating in the group signature; no modular exponentiation is computed when the group signature is combined; 2 modular exponentiations are computed during signature verification; and part of the exponentiation is carried out simultaneously in the network or in advance.
Under the new threshold group signature protocol, the following parameters are first determined: $N$, $p$, $q$, $m$, $p'$, $q'$, $g$, $d$, $v$, $x$, $y$ and hash(), where
$N = pq$; $p$ and $q$ are safe large primes, $p'$ and $q'$ are large primes, and $p = 2p' + 1$, $q = 2q' + 1$, $m = p'q'$;
$Z_N^*$ denotes the least residue system of $N$, $Q_N$ denotes the multiplicative subgroup formed by all quadratic residues in $Z_N^*$, and $g \in Z_N^*$ is a generator of the subgroup $Q_N$;
$d$ and $v$ are chosen at random, both coprime to $m$; the group private key is $x = g^d \bmod N$, the group public key is $y$, and $x^v y \equiv 1 \bmod N$;
hash() is the selected strong one-way hash function;
Under the new threshold group signature protocol, at initialization the system selects a polynomial $f()$ of degree $t-1$ whose constant term $d = f(0) \bmod m$ is the root key of the whole system; the sub-keys $s_i = g^{f(i) \bmod m} \bmod N$ are then distributed to the group members, $1 \le i \le t$, where $t$ is the number of members participating in the group signature. Under the new threshold group signature protocol, when any $t$ members perform a group signature on a given message $M$, each member participating in the group signature selects a random integer $k_i$, and computes and broadcasts
[formula image not reproduced]
Each member participating in the group signature computes
[formula image not reproduced]
and $h = \mathrm{hash}(M, R)$, and obtains its own sub-signature
[formula image not reproduced]
Under the new threshold group signature protocol, after the group signer has obtained the sub-signatures $c_i$ of the $t$ members participating in the group signature, it computes
[formula image not reproduced]
which yields the group signature $(c, h)$ and the certificate $(M, c, h)$;
Under the new threshold group signature protocol, when authentication is performed according to the group-signed certificate $(M, c, h)$, the verifier computes $R' = c^v y^h \bmod N$ and checks whether $h = \mathrm{hash}(M, R')$ holds; if it holds, authentication succeeds, otherwise authentication fails.
The invention also discloses an authentication system for a mobile ad hoc network, comprising:
A unit that initializes all initial nodes and, by means of the new threshold group signature protocol, issues each node its own certificate and sub-key;
A specified number of nodes which, when a new node joins, jointly issue a certificate to the new node according to their sub-keys by means of the new threshold group signature protocol; the new node authenticates itself and communicates by means of the new threshold group signature protocol according to the issued certificate;
Here, the new threshold group signature protocol is an improved protocol based on GQ threshold group signature theory. Its differences from the GQ threshold group signature include: 2t modular exponentiations are computed in the sub-signature generation stage, where t is the number of clusters in the network participating in the signature; no modular exponentiation is computed when the group signature is combined; 2 modular exponentiations are computed during signature verification; and part of the exponentiation is carried out simultaneously in the network or in advance.
Here, the mobile ad hoc network adopts a clustered networking structure, each cluster contains a cluster head node, and inter-cluster communication passes through the cluster heads;
The specified number of nodes that jointly issue the certificate to the new node are all cluster head nodes.
By comparison, the main differences between the technical solution of the present invention and the prior art are as follows. A clustered mobile ad hoc networking structure is adopted and a hierarchical distributed identity authentication scheme is proposed. Inter-cluster communication uses an improved new threshold group signature protocol, which improves on the original GQ-based threshold group signature method by reducing the number of modular exponentiations, increasing computational parallelism and lowering processing resource requirements;
At initialization, the system issues certificates and sub-keys uniformly. A sufficient number of cluster heads, each holding a sub-key, can jointly recover the system key and thereby perform a group signature to issue a certificate to a newly joined node, and the joint group signature is carried out over multi-hop serial communication;
For inter-cluster communication between ordinary nodes, the cluster heads only route and forward, and authentication is carried out by the nodes according to their certificates; for important inter-cluster communication, the cluster heads also take part in authentication and authenticate each other. When nodes authenticate each other, a zero-knowledge authentication scheme is also used, so that the authenticated party need not disclose any key-related information to the authenticating party;
For intra-cluster communication, the HORSC protocol is used to implement flat-network-style authentication. This protocol implements the more efficient hash-chain authentication mode and makes full use of the cluster head's processing resources; the cluster head uniformly controls intra-cluster synchronization and public-key updates, which solves the synchronization problem;
Because cluster heads and nodes have different processing tasks, every node joining the self-organizing network is given two operating states, ordinary and enhanced, corresponding to the ordinary-node and cluster-head roles respectively, so as to support the hierarchical distributed authentication scheme and make full use of network processing resources.
These differences in the technical solution bring significant benefits: the hierarchical distributed identity authentication scheme implements inter-cluster authentication with the improved new threshold group signature protocol and intra-cluster authentication with the HORSC protocol, fully solving the identity authentication problem of clustered mobile ad hoc networks;
Compared with the existing GQ-based threshold group signature technique, the improved new threshold group signature protocol needs only [count missing] modular exponentiations in the sub-signature generation stage, needs no modular exponentiation when the group signature is combined, and needs only 2 modular exponentiations for signature verification; moreover, part of the exponentiation can be carried out in a distributed manner in the network or in advance. When the clustered network performs a joint group signature, the hop-by-hop generation stage of the identity certificate needs [count missing] modular exponentiations. This greatly reduces the amount of computation and the demands on node processing resources, making inter-cluster authentication easy to implement;
When a certificate is jointly issued to a new node, serial multi-hop communication is used in place of broadcasting among the cluster heads participating in the group signature. This not only reduces the number of network communications and saves network resources, but also reduces the number of communication rounds, which speeds up execution of the protocol and improves network response time;
Zero-knowledge authentication is used for inter-cluster authentication: the authenticated party need not disclose relevant information to the authenticating party, which guarantees the security of the authentication system, allows identity certificates to be reused, extends the lifetime of certificates and improves the efficiency of certificate use;
During inter-cluster authentication, a cluster head can decide whether to join the authentication according to the security level of the communication; for important communication, the cluster heads must authenticate each other, further ensuring the security of inter-cluster authentication;
The intra-cluster HORSC protocol, based on hash chains, inserts a random number into the string when generating the strings. This not only achieves the same level of security but also reduces the number of output bits of the hash function, directly cutting the amount of computation by half, greatly lowering processing resource requirements and improving feasibility;
Intra-cluster authentication with the hash-chain-based HORSC protocol makes full use of the cluster head's processing resources. Because the cluster head strictly controls the synchronization step count and ensures that it grows faster than the maximum frequency of user authentication service, and because distances within a cluster are short so that large delays do not occur, a good environment is provided for hash-chain authentication; this not only speeds up processing but also solves the intra-cluster synchronization problem and improves authentication efficiency.
Description of drawings
Fig. 1 is a schematic diagram of the hash chains and the initial public and private keys in the hash-chain-based identity authentication scheme;
Fig. 2 is a schematic diagram of the clustered networking structure of the mobile ad hoc network and the hierarchical distributed authentication scheme according to the first embodiment of the invention;
Fig. 3 is a flow diagram of multiple cluster heads performing a joint group signature to issue a certificate to a new node according to the third embodiment of the invention.
Embodiment
To make the purpose, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
The most basic networking mode of a mobile ad hoc network is planar networking. The defects of that mode have kept it from being promoted and developed, and clustered networking is widely accepted instead. In particular, when a mobile ad hoc network is large, the network needs hierarchical management, and the authentication mechanism of a simple planar network cannot meet its authentication needs; hierarchical distributed authentication is a good solution. Starting from this point, the present invention proposes a hierarchical distributed authentication solution that uses an improved new threshold group signature protocol for inter-cluster authentication and a hash-chain-based HORSC protocol for planar authentication within a cluster. Inter-cluster authentication uses the GQ signature scheme, which has fewer constraints and is stronger; intra-cluster authentication uses the hash-chain scheme, which is more efficient but needs strict control, and the cluster head is responsible for managing authentication within its cluster. A new user's certificate is issued by a threshold group signature, jointly by the cluster heads, which have stronger computing capability. This lowers the requirement on node processing capability, improves authentication speed and efficiency, and makes the hierarchical distributed authentication scheme more feasible.
The first embodiment of the present invention first gives the basic framework of the hierarchical distributed authentication scheme, which mainly comprises four processes: initialization, issuing certificates to new nodes, inter-cluster authentication, and intra-cluster authentication. The mobile ad hoc network adopts a clustered networking structure; each cluster includes a cluster-head node, and inter-cluster communication goes through the cluster heads. Fig. 2 shows the framework of the hierarchical distributed authentication scheme.
When the system initializes all initial nodes, it issues each node its certificate and sub-key through the new threshold group signature protocol. The system first determines the parameters of the new threshold signature protocol, then computes each node's certificate and sends it secretly to that node. In addition, so that certificates can be jointly issued when new nodes join, each node must be sent a sub-key. The sub-keys are designed according to the parameters agreed in advance for the new threshold group protocol, such as the number of cluster heads that take part in the group signature for jointly issuing a certificate, and are computed so that more than this number of sub-keys can jointly recover the system key;
When a new node joins, a specified number of cluster-head nodes use their sub-keys and the new threshold group signature protocol to jointly issue a certificate to the new node. A cluster head convenes cluster heads until the number taking part in the group signature reaches the preset number; they then interact with the new node according to the protocol, and the new node's certificate is obtained through distributed computation and communication. This certificate can be used for authentication by the same method defined in the protocol;
Nodes authenticate each other with their certificates through the new threshold group signature protocol to carry out inter-cluster communication. Any two nodes that hold certificates can authenticate each other, and the authentication method is the same as in a conventional threshold group signature;
Within a cluster, nodes only need to authenticate through the Hash to Obtain Random Subsets of Clusters (HORSC) protocol to carry out intra-cluster communication. This protocol realizes planar authentication efficiently, which greatly improves the efficiency of intra-cluster communication while keeping that communication secure.
The second embodiment of the present invention first gives the implementation details of the new threshold group signature protocol, an improvement based on GQ threshold group signature theory. The scheme borrows the idea of the GQ threshold group signature to design a novel $(t, n)$ threshold group signature scheme whose computational cost is lower than that of Liu's scheme.
First the following parameters are determined: $N$, $p$, $q$, $m$, $p'$, $q'$, $g$, $d$, $v$, $x$, $y$ and $\mathrm{hash}()$, where $N = pq$; $p$ and $q$ are large safe primes; $p'$ and $q'$ are large primes with $p = 2p' + 1$, $q = 2q' + 1$ and $m = p'q'$. $Z_N^*$ denotes the least residue system of $N$, and $Q_N$ denotes the multiplicative subgroup formed by all quadratic residues in $Z_N^*$; $g \in Z_N^*$ is a generator of the subgroup $Q_N$. $d$ and $v$ are chosen at random so that both are coprime to $m$; the group key is $x = g^{d} \bmod N$, the group public key is $y$, and $x^{v} y \equiv 1 \bmod N$. $\mathrm{hash}()$ is a selected strong one-way hash function.
At initialization, the system selects a polynomial $f()$ of degree $t-1$ whose constant term $d = f(0) \bmod m$ is the root key of the whole system; the sub-key $s_i = g^{f(i) \bmod m} \bmod N$ is then distributed to each group member, where $t$ is the number of members taking part in a group signature. When any $t$ members produce a group signature on a given message $M$, each participating member selects a random integer $k_i$, then computes and broadcasts $r_i = k_i^{v} \bmod N$. Each participating member computes $R = \prod_{i=1}^{t} r_i$ and $h = \mathrm{hash}(M, R)$, and obtains its own sub-signature $c_i = s_i^{\,h \cdot \prod_{j=1,\, j \neq i}^{t} \frac{-j}{i-j}} \, k_i \bmod N$. Thus $t$ or more members can recover the group key $x$ through the Lagrange interpolation algorithm.
Signature synthesis: after the group signer has obtained the sub-signatures $c_i$ of the $t$ members taking part in the group signature, it computes $c = \prod_{i=1}^{t} c_i \bmod N$, which yields the group signature $(c, h)$ and the certificate $(M, c, h)$.
Signature verification: to authenticate with the group-signed certificate $(M, c, h)$, the verifier computes $R' = c^{v} y^{h} \bmod N$ and checks whether $h = \mathrm{hash}(M, R')$ holds. If it holds, authentication succeeds; otherwise authentication fails.
This scheme differs from Liu's existing GQ-based signature scheme in that changing the order and structure of the computation reduces the amount of computation. Only $2t$ modular exponentiations in total are needed in the sub-signature generation phase (assuming $t$ cluster heads in the network take part in the signature), no modular exponentiation is needed when the group signature is synthesized, and 2 modular exponentiations are needed for signature verification. Some of the exponentiations can be carried out simultaneously across the network or in advance, for example the computation of $r_i = k_i^{v} \bmod N$.
The improved threshold group signature scheme is used as follows: the party to be signed sends the message to each signer to request a group signature; each signer signs and sends back its sub-signature; the party to be signed combines all sub-signatures into the group signature. For authentication, the message and the group signature are sent to the authenticator, who verifies them.
The third embodiment of the present invention provides a concrete inter-cluster authentication implementation based on the new threshold group signature scheme of the second embodiment.
The steps required at system initialization are: determine the parameters specified by the protocol, generate the certificate of each initial node, and generate the sub-key of each node.
The system acts as a trusted key distributor (dealer) and issues a sub-key to each mobile node of the initial stage. The system first selects the parameters $N$, $p$, $q$, $m$, $p'$, $q'$, $g$, $d$, $v$, $x$, $y$ and $\mathrm{hash}()$.
In the initial stage, the identity certificate of each member $P_i$ is issued by the trusted party (the system). The trusted party selects some public information of member $P_i$ as the certificate content $M_i$, such as a member ID (identity) number, a user name, an e-mail address, or other information that uniquely represents the user. It then selects a random number $b_i$ and computes $B_i = b_i^{v} \bmod N$, $h_i = \mathrm{hash}(M_i, B_i)$ and $S_i \equiv b_i \cdot x^{h_i} \bmod N$, generating the certificate $(M_i, S_i, B_i)$ of this node user. Finally the certificate $(M_i, S_i, B_i)$ is sent confidentially to member $P_i$.
For sub-key distribution, suppose the scheme to be generated is a $(t, n)$ threshold scheme. The key distributor first arbitrarily selects a polynomial of degree $t-1$, $f(x) = a_{t-1} x^{t-1} + \dots + a_1 x + d$, where $x$ denotes the independent variable and the constant term $d$ is the root key of the whole system. Each member $P_i$ in the system is assigned a unique identification number $i$, and the sub-key of $P_i$ is computed as $s_i = g^{f(i) \bmod m} \bmod N$. The key distributor sends $s_i$ confidentially to $P_i$. Each user thus obtains a sub-key issued by the system. The sub-keys are tied to the later group signatures: the system generates them in the initial stage according to the group signature scheme, and they are used jointly whenever a group signature is needed afterwards.
After initialization the system can perform authentication. However, because the nodes of a mobile ad hoc network change, certificate issuance for newly joined nodes must be handled; this is the key problem that the new threshold group signature protocol solves. A mobile ad hoc network is a dynamically changing distributed network, and a new user joining the network relies on existing members of the mobile network to issue its identity certificate. A new user's certificate is issued with the threshold group signature algorithm, jointly by the cluster heads, which have stronger computing capability.
When a new node $P_{N'}$ joins the network, it first contacts a nearby cluster head. If this cluster head agrees to admit $P_{N'}$, then $P_{N'}$ becomes a new member of the cluster. If the cluster head does not agree, $P_{N'}$ must keep moving and apply to join other clusters until the cluster head $CH_{N'}$ of some cluster agrees to admit it.
After $P_{N'}$ has become a member of the cluster, it can ask the cluster head $CH_{N'}$ of that cluster to issue a certificate, sending an integer $g^{a} \bmod N$, where $a$ is a random number. If $CH_{N'}$ judges within a certain period of time that $P_{N'}$ is reliable, it accepts the application of $P_{N'}$ and forwards $g^{a} \bmod N$ to the other cluster heads. When more than a certain number of cluster heads accept the application of $P_{N'}$, they can jointly issue a certificate to $P_{N'}$.
When any cluster head $CH_i$ in the network receives the request and agrees to take part in the authentication, $CH_i$ returns two numbers, including $K_i = k_i^{v} \bmod N$, where $r_i$ and $k_i$ are random numbers generated by $CH_i$. After $CH_{N'}$ has received responses from more than $t-1$ cluster heads, it arbitrarily selects $t-1$ of them to jointly issue the identity certificate to $P_{N'}$, and $CH_{N'}$ likewise sends two random numbers to $P_{N'}$. For simplicity, the set formed by the $t$ cluster heads taking part in the authentication, $\{CH_1, CH_2, \dots, CH_t\}$, including $CH_{N'}$, is defined as $A$.
$P_{N'}$ stores the random numbers returned by the members of set $A$ and computes $R = \prod_{i=1}^{t} K_i \bmod N$. $P_{N'}$ sends $(M, \{A\}, R)$ to $CH_1$ (the first node in $A$), where $\{A\}$ denotes the sequence numbers of the nodes in set $A$.
$CH_1$ computes $h = \mathrm{hash}(M, R)$ and $d'_1 = g^{a \cdot r_1}\, s_1^{\,h \cdot \prod_{j \in A,\, j \neq 1} \frac{-j}{1-j}}\, k_1 \bmod N$, where $s_1$ is the sub-key held by $CH_1$. $CH_1$ then sends $(d'_1, M, \{A\}, R)$ to $CH_2$. $CH_2$ computes $h$ and $d'_2 = g^{a \cdot r_2}\, s_2^{\,h \cdot \prod_{j \in A,\, j \neq 2} \frac{-j}{2-j}}\, k_2 \bmod N$, and then sends $(d'_1 d'_2, M, \{A\}, R)$ to the next node. The process continues in the same way until the last authenticating node $CH_t$ computes $d'_t = g^{a \cdot r_t}\, s_t^{\,h \cdot \prod_{j \in A,\, j \neq t} \frac{-j}{t-j}}\, k_t \bmod N$ and returns $S' = \prod_{i=1}^{t} d'_i \bmod N$ to $P_{N'}$.
An example of the whole authentication procedure is shown in Fig. 3. After receiving the $S'$ returned by $CH_t$, $P_{N'}$ computes the group signature $S = S' \cdot \left(g^{a \sum_{i=1}^{t} r_i}\right)^{-1} \bmod N$; the valid signature finally obtained is $S$. $P_{N'}$ has thus obtained the jointly issued identity certificate $(M, S, R)$.
Once $P_{N'}$ has obtained the new certificate, it can use it to prove its identity in later inter-cluster communication. The certificate is used for inter-cluster communication in the same way as described above. Users in the mobile ad hoc network must authenticate before communicating, and the identity certificate prevents impersonation attacks safely and effectively. When an identity certificate is used, the verifier receives $(M, S, R)$. It first computes $h = \mathrm{hash}(M, R)$ and then $R' \equiv S^{v} y^{h} \bmod N$. If $R' = R$, then $(S, R)$ is proven to be a valid signature on message $M$ by a member of the mobile ad hoc network.
As can be seen, inter-cluster authentication with this threshold group signature makes full use of the strong computing capability of the cluster heads and of the multi-hop nature of network communication. The identity certificate of a new network user is produced by a certain number of cluster heads working together over multi-hop communication. Because the cluster heads have stronger computing capability, certificate issuance completes quickly and ordinary nodes are not affected. Given the characteristics of radio communication, such as the control information of each exchange, the transmit/receive turnaround delay of each radio, and the average number of transmissions per successful exchange, reducing the number of communication rounds speeds up protocol execution. This scheme therefore uses hop-by-hop communication in the certificate synthesis phase for new network users, which reduces the number of communication rounds, reduces network traffic, and saves network bandwidth.
Because general authentication methods carry the security risk of disclosing part of the information, this embodiment also adopts a zero-knowledge authentication protocol, in which the authenticated party does not need to disclose information to the authenticating party. The protocol specifies the following authentication steps:
Suppose users A and B want to communicate in the mobile network. First A requires B to show its identity certificate: A sends a random number $u$ to B. After receiving $u$, B returns $(M_B,\ S_B^{u} \bmod N,\ R_B \bmod N)$ to A. After receiving B's reply, A computes $h_B = \mathrm{hash}(M_B, R_B \bmod N)$ and $R' \equiv S_B^{u \cdot v}\, y^{u \cdot h_B} \bmod N$, and checks whether $R' \equiv R_B^{u} \bmod N$. If the equation holds, A accepts the authenticity of B. In turn, B also requires A to show its identity certificate, and the procedure is the same as above.
This protocol verifies identity while avoiding disclosure of the identity certificate. It is a simple zero-knowledge proof protocol and allows the identity certificate to be reused.
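The threshold signing and verification of the second embodiment and the challenge-response check above, as an added Python example that is not part of the patent text. The toy safe primes (constructed, far too small for real use), the generator g = 4, SHA-256 as hash(), the function names, and the guard on u are assumptions of this example; the certificate (M, S, R) shown to the verifier is taken from the signing output with S = c.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters: safe primes p = 2p'+1, q = 2q'+1.
SAFE_P, SAFE_Q = 1019, 1187
N = SAFE_P * SAFE_Q
M_ORD = (SAFE_P // 2) * (SAFE_Q // 2)   # m = p'q', the order of Q_N
G = 4                                   # 2^2 generates Q_N for these primes


def rand_coprime(modulus: int) -> int:
    while True:
        r = secrets.randbelow(modulus - 2) + 2
        if gcd(r, modulus) == 1:
            return r


def hash_int(message: bytes, R: int) -> int:
    """hash(M, R) as an integer (SHA-256 is this example's choice)."""
    data = message + b"|" + str(R).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def dealer_setup(t: int, n: int):
    """Pick d and v, derive x and y, deal sub-keys s_i = g^(f(i) mod m) mod N."""
    d, v = rand_coprime(M_ORD), rand_coprime(M_ORD)
    x = pow(G, d, N)
    y = pow(x, -v, N)                   # x^v * y = 1 (mod N)
    coeffs = [d] + [secrets.randbelow(M_ORD) for _ in range(t - 1)]
    shares = {i: pow(G, sum(a * i ** e for e, a in enumerate(coeffs)) % M_ORD, N)
              for i in range(1, n + 1)}
    return v, y, shares


def lagrange_at_zero(i: int, signers) -> int:
    """prod_{j != i} (-j)/(i-j), computed modulo m."""
    lam = 1
    for j in signers:
        if j != i:
            lam = lam * (-j) * pow((i - j) % M_ORD, -1, M_ORD) % M_ORD
    return lam


def threshold_sign(message: bytes, signers, shares, v: int):
    """Run the t-party signing round; returns (c, h, R)."""
    ks = {i: rand_coprime(N) for i in signers}
    R = 1
    for i in signers:
        R = R * pow(ks[i], v, N) % N            # each r_i = k_i^v is broadcast
    h = hash_int(message, R)
    c = 1
    for i in signers:
        exponent = h * lagrange_at_zero(i, signers) % M_ORD
        c = c * pow(shares[i], exponent, N) * ks[i] % N   # sub-signature c_i
    return c, h, R


def verify(message: bytes, c: int, h: int, v: int, y: int) -> bool:
    """Recompute R' = c^v * y^h mod N and compare h with hash(M, R')."""
    return h == hash_int(message, pow(c, v, N) * pow(y, h, N) % N)


def blinded_response(cert, u: int):
    """Prover side: answer challenge u with (M, S^u mod N, R mod N)."""
    message, S, R = cert
    if u < 2:                  # added guard: u = 1 would return S itself
        raise ValueError("challenge too small")
    return message, pow(S, u, N), R % N


def blinded_verify(response, u: int, v: int, y: int) -> bool:
    """Verifier side: check (S^u)^v * y^(u*h) = R^u (mod N)."""
    message, S_u, R = response
    h = hash_int(message, R)
    return pow(S_u, v, N) * pow(y, u * h, N) % N == pow(R, u, N)
```

Because the response is bound to the verifier's challenge u, a response recorded under one challenge does not pass the check under a different one.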
Thus, for ordinary inter-cluster communication between nodes of different clusters, routing and forwarding go through the respective cluster heads, and the nodes simply authenticate each other with their certificates through the new threshold group signature protocol.
For important inter-cluster communication between nodes of different clusters, routing and forwarding go through the respective cluster heads; the cluster heads can provide signatures to vouch for the identity of the members of their clusters, and authentication between the cluster heads is also needed. Suppose A and B are members of different clusters and $CH_A$ and $CH_B$ are their respective cluster heads. A now carries out an important communication with B, and the authentication of A and B needs the signatures of their respective cluster heads. During mutual authentication, B first sends a random number $u$ to A, and A returns $(M_A,\ S_A^{u} \bmod N,\ R_A \bmod N)$ to B, where $(M_A, S_A, R_A)$ is the identity certificate of A. At this point $CH_A$ computes $h_1 = \mathrm{hash}(M_{CH_A}, h_A)$ with $h_A = \mathrm{hash}(M_A, R_A)$ and, when forwarding the message that A sends to B, appends its own signature $(M_{CH_A},\ S_{CH_A}^{h_1} \bmod N,\ R_{CH_A})$, where $(M_{CH_A},\ S_{CH_A} \bmod N,\ R_{CH_A})$ is the identity certificate of $CH_A$. After receiving the message forwarded by $CH_A$, $CH_B$ first confirms whether the signature of $CH_A$ is valid. If the signature is valid, $CH_B$ appends, when forwarding the information within its cluster, a message confirming that $CH_A$ vouches for the authenticity of A. In this way B receives the certificate of A, the signature of $CH_A$ and the confirmation of $CH_B$, and can confirm the identity of A.
In the overall inter-cluster authentication scheme above, when the improved new threshold group signature method is applied to distributed authentication in a mobile ad hoc network, the amount of computation increases somewhat in order to guarantee the confidentiality of the identity certificate, but efficiency is still higher than in existing schemes. The phase of requesting an identity certificate needs $2t+1$ modular exponentiations in total, the hop-by-hop generation phase of the identity certificate needs $2t+1$ modular exponentiations, and verifying an identity certificate needs 2 modular exponentiations; the amount of computation is reduced in every phase.
Inter-cluster authentication is comparatively complex because it has to fit the clustered structure, but within a cluster there is no need for such a complex authentication mode, and a simpler planar hash-chain authentication can be used. The fourth embodiment of the present invention improves the HORSE authentication protocol and proposes a new Hash to Obtain Random Subsets of Clusters (HORSC) protocol to realize intra-cluster authentication efficiently.
First, the hash chain needs dynamic authentication information $M$. $M$ contains each member's unique information together with some varying information, such as a timestamp, the synchronization number, and the random number that the authenticating party sends to the party being verified.
The HORSC system parameters comprise: integers $t'$ and $l$, which are security parameters; a strong one-way function $H()$ that converts an input of arbitrary length into $k$ integers less than $t'-1$, that is, $k \log_2 t' \le |H()|$, where $|H()|$ denotes the binary length of the output of the hash function $H()$; a set of hash functions $f_i()$, $(0 \le i \le t'-1)$; and the synchronization number $u$.
Then $t'$ values of $l$ bits each, $s_{\langle 0,0\rangle}, s_{\langle 0,1\rangle}, \dots, s_{\langle 0,t'-1\rangle}$, are selected and used to build $t'$ hash chains of length $d$. These hash chains serve as keys. The initial private key $SK_0$ and public key $PK_0$ are respectively:
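$SK_0 = (s_0, s_1, \dots, s_{t'-1}) = (s_{\langle d-1,0\rangle}, s_{\langle d-1,1\rangle}, \dots, s_{\langle d-1,t'-1\rangle})$,
$PK_0 = (v_0, v_1, \dots, v_{t'-1}) = (f(s_{\langle d-1,0\rangle}), f(s_{\langle d-1,1\rangle}), \dots, f(s_{\langle d-1,t'-1\rangle})) = (s_{\langle d,0\rangle}, s_{\langle d,1\rangle}, \dots, s_{\langle d,t'-1\rangle})$
where $s_{\langle i,j\rangle} = f^{i}(s_{\langle 0,j\rangle})$.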
Suppose A wants to prove its identity to B. When this authentication protocol is run, B first sends A a random number $v$ of length $k \log_2 t'$ bits.
A forms a signed message $M$ from its own identity information, the random number $v$, the synchronization number $u$ and a timestamp, computes $h = H(M)$, and divides $h$ into $k$ word strings of length $\log_2 t'$, $\{h_1, h_2, \dots, h_k\}$. Treating the timestamp as a large integer, A computes the remainder $a$ of the timestamp modulo $k$ and inserts the random number $v$ after the word string $h_{1+a}$, which gives $2k$ word strings of length $\log_2 t'$, $\{h_1, h_2, \dots, h_{2k}\}$.
Each $h_j$ $(1 \le j \le 2k)$ is converted to an integer, giving $2k$ integers $i_j$ $(1 \le j \le 2k)$; according to the current synchronization number $u$, the signature of $M$ is
Figure DEST_PATH_GA20190296200610162694401D00121
Suppose the public key is $(v_0, v_1, \dots, v_{t'-1})$ and the synchronization number is counted from 1. The signature
Figure DEST_PATH_GA20190296200610162694401D00122
is then a subset of $(s_{\langle d-u,0\rangle}, s_{\langle d-u,1\rangle}, \dots, s_{\langle d-u,t'-1\rangle})$.
When B verifies this signature, it computes the word strings $\{h_1, h_2, \dots, h_{2k}\}$ in the same way, converts them to the integers $i_j$ $(1 \le j \le 2k)$, and checks whether the equations $v_{i_1} = f^{u}(s_{i_1}),\ v_{i_2} = f^{u}(s_{i_2}),\ \dots,\ v_{i_{2k}} = f^{u}(s_{i_{2k}})$ hold. If these equations hold, verification passes.
Compared with existing hash-chain authentication schemes, this HORSC scheme inserts the random number sent by the authenticating party into the output word strings of the hash function, which reduces the number of output bits of the hash function at the same security level. In this scheme the hash function outputs $k \log_2 t'$ bits, and together with the $k \log_2 t'$-bit random number sent by the authenticating party this achieves the effect of a $2k \log_2 t'$-bit hash output in the prior art. The hash output in this scheme can therefore be half that of the prior art, which also reduces the amount of computation.
The implementation of this scheme needs to make full use of the management and computing capability of the cluster head:
The cluster head manages the intra-cluster public keys of all nodes in the cluster and broadcasts its own intra-cluster public key to all nodes in the cluster;
During intra-cluster authentication through the HORSC protocol, the intra-cluster keys are used together with the synchronization number;
The cluster head updates the synchronization number according to the rate at which the nodes in the cluster disclose their keys, and broadcasts it to all nodes in the cluster;
When a new node joins the cluster, the node regenerates its public key through the HORSC protocol and sends it to the cluster head;
When a new node takes over as cluster head, it collects the public keys of all nodes in the cluster again;
During intra-cluster authentication, the authenticating party obtains the public key of the authenticated party from the cluster head of the cluster;
When a node leaves the cluster, the cluster head revokes the node's public key and notifies all nodes in the cluster;
The cluster head initiates an update of the public keys of all nodes in the cluster according to the running time and the changes of nodes; at that point all nodes update their public keys and the synchronization number is reset to 1.
In practical use, this embodiment finds that the HORSC intra-cluster authentication scheme not only solves the synchronization problem but also runs fast. Because the cluster head strictly controls the synchronization number and guarantees that it grows faster than the maximum frequency of user authentication services, the situation in which one synchronization number is used many times and the keys of that synchronization number are used up does not occur. Distances within a cluster are short, so large delays do not occur either, which provides a good environment for hash-chain-based authentication. Hash-chain-based authentication is very fast, many times faster than common public-key authentication algorithms.
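The HORSC signing and verification steps and the synchronization-number control described above, as an added Python example that is not part of the patent text. The signature formula itself is an image missing from the page; this example assumes the signature is the list of chain values $s_{\langle d-u, i_j\rangle}$ selected by the $2k$ indices, which is what the subset statement and the verification equation imply. SHA-256 (instead of the page's MD5), a single chain function f, the message encoding, and all function names are also assumptions.

```python
import hashlib
import secrets

# Parameters quoted on the page: t' = 128, k = 8, l = 64 bits, d = 2^10.
T, K, L_BYTES, D = 128, 8, 8, 1 << 10
BITS = 7                       # log2(t'): width of one word string
DIGEST_BYTES = K * BITS // 8   # k*log2(t') = 56 bits of H() output


def f(value: bytes) -> bytes:
    """One hash-chain step, truncated to l bits."""
    return hashlib.sha256(b"chain" + value).digest()[:L_BYTES]


def iterate(value: bytes, steps: int) -> bytes:
    for _ in range(steps):
        value = f(value)
    return value


def keygen():
    """Return (seeds s_<0,j>, public key v_j = s_<d,j>) for the t' chains."""
    seeds = [secrets.token_bytes(L_BYTES) for _ in range(T)]
    return seeds, [iterate(seed, D) for seed in seeds]


def split(value: int, count: int):
    """Cut a count*BITS-bit integer into `count` indices below t'."""
    return [(value >> (BITS * (count - 1 - n))) & (T - 1) for n in range(count)]


def indices(identity: bytes, challenge: int, u: int, timestamp: int):
    """Derive i_1..i_2k from M = (identity, random number v, u, timestamp)."""
    message = b"|".join([identity, challenge.to_bytes(DIGEST_BYTES, "big"),
                         str(u).encode(), str(timestamp).encode()])
    h = int.from_bytes(hashlib.sha256(message).digest()[:DIGEST_BYTES], "big")
    words = split(h, K)
    a = timestamp % K
    # Insert the verifier's random number after word string h_(1+a).
    return words[:a + 1] + split(challenge, K) + words[a + 1:]


def sign(seeds, identity: bytes, challenge: int, u: int, timestamp: int):
    """Assumed signature: chain values s_<d-u, i_j> for the 2k indices."""
    return [iterate(seeds[i], D - u)
            for i in indices(identity, challenge, u, timestamp)]


def verify(public, signature, identity: bytes, challenge: int, u: int,
           timestamp: int, current_u: int) -> bool:
    """Check v_(i_j) = f^u(s_(i_j)) for every index.

    Values for an earlier synchronization number can be computed from later
    disclosures by applying f, so only the cluster head's current u is accepted.
    """
    if u != current_u or not 1 <= u <= D:
        return False
    idx = indices(identity, challenge, u, timestamp)
    return len(signature) == len(idx) and all(
        iterate(s, u) == public[i] for s, i in zip(signature, idx))
```

Half of the 2k indices come from the verifier's fresh random number, so a signature produced for one challenge fails verification under any other challenge.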
At comparable security, authentication based on the HORSC protocol is much faster than RSA-512. Table 1 compares the performance of RSA-512 and HORSC-based authentication in the application environment of this embodiment. The HORSC parameters are $t' = 128$, $k = 8$, $l = 64$, $d = 2^{10}$, and the hash function is MD5.
Table 1: Performance comparison of RSA-512 and HORSC
Figure DEST_PATH_GA20190296200610162694401D00131
In addition, to coordinate the allocation of network resources and other shared processing resources, this embodiment sets different operating states depending on whether a node is a cluster head: as an intra-cluster node it runs in the ordinary operating state, and as a cluster-head node it runs in the enhanced operating state. A node in the enhanced operating state has priority over nodes in the ordinary operating state in obtaining control of network and processing resources.
Suppose the network has already formed a cluster structure according to some rule. Compared with ordinary members, a cluster head needs stronger computing capability and consumes more energy. The mobile nodes of a mobile ad hoc network can therefore be designed with two operating states, ordinary and enhanced. When a mobile node is chosen as cluster head, it changes from the ordinary state to the enhanced state, drawing on more computing capability and energy supply. When a mobile node changes from cluster head back to ordinary node, its operating state changes from enhanced to ordinary to reduce resource consumption.
In summary, the present invention provides a hierarchical distributed authentication service solution for medium and large mobile ad hoc networks. In the hierarchical authentication scheme for a clustered mobile ad hoc network, inter-cluster communication uses an authentication method based on the new threshold group signature, and intra-cluster communication uses the hash-chain-based HORSC authentication method. By cooperating, $t$ cluster heads in the mobile ad hoc network can act as a virtual trusted center of the network and issue certificates to new users.
The inter-cluster authentication scheme based on the new threshold group signature makes full use of the strong computing capability of the cluster heads and of the multi-hop nature of network communication. When a certificate is issued to a new network node, each cluster head, having stronger computing capability, can finish its computation quickly and send the result to the next cluster head. Certificate issuance can therefore be completed quickly and with high probability, which avoids some node becoming unreachable after a certain time because nodes have moved, and has little effect on network operation.
This identity authentication scheme uses the principle of threshold cryptography: any set of cluster heads in the network that reaches the required number can provide the authentication service. This improves the robustness of the network and suits the dynamic topology of mobile ad hoc networks particularly well.
Because the topology of a mobile ad hoc network changes dynamically and its bandwidth is limited, the total number of communication hops should be reduced as far as possible to lighten the communication load. The present invention uses the multi-hop nature of mobile ad hoc networks to design a distributed multi-hop identity authentication scheme that reduces the number of communication rounds and the network traffic.
An authentication protocol with zero-knowledge-proof characteristics is also adopted, which allows identity certificates to be reused, extends the service life of a certificate, and improves the efficiency of certificate use.
The HORSC intra-cluster authentication scheme solves the synchronization problem, and signing and verification are fast. The cluster head of each cluster is responsible for broadcasting the cluster's synchronization number, and all members sign and verify according to this number. The cluster head can guarantee that the synchronization number grows faster than the maximum frequency of user authentication services. Communication distances within a cluster are short, so long data-forwarding delays do not occur; this guarantees the operating conditions of the hash chain and effectively prevents synchronization attacks. Experiments confirm that this hash-chain-based authentication is much faster than other public-key authentication algorithms and is highly practical.
Although the present invention has been illustrated and described with reference to certain preferred embodiments, those of ordinary skill in the art should understand that various changes may be made to it in form and detail without departing from the spirit and scope of the invention.

Claims (13)

1. An authentication method for a mobile ad hoc network, characterized by comprising the following steps:
the system initializes all initial nodes and, through a new threshold group signature protocol, issues to each node that node's own certificate and sub-key;
when a new node joins, a specified number of nodes, according to their sub-keys and through the new threshold group signature protocol, jointly issue a certificate to the new node;
nodes authenticate each other and communicate through the new threshold group signature protocol according to the certificates;
wherein the new threshold group signature protocol is an improved protocol based on GQ threshold group signature theory, and its differences from the GQ threshold group signature include: $2t$ modular exponentiations are computed in the sub-signature generation phase, $t$ being the number of members in the network taking part in the group signature; no modular exponentiation is computed when the group signature is synthesized; 2 modular exponentiations are computed at signature verification; and part of the exponentiations are carried out simultaneously in the network or in advance.
2. The authentication method for a mobile ad hoc network according to claim 1, characterized in that
the mobile ad hoc network adopts a clustered networking structure, each cluster includes a cluster-head node, and inter-cluster communication goes through the cluster heads, wherein
when a new node joins, a specified number of cluster-head nodes, according to their sub-keys and through the new threshold group signature protocol, jointly issue a certificate to the new node;
nodes authenticate each other through the new threshold group signature protocol according to the certificates to carry out inter-cluster communication.
3. The authentication method for a mobile ad hoc network according to claim 1 or 2, characterized in that
through the new threshold group signature protocol, the following parameters are first determined: $N$, $p$, $q$, $m$, $p'$, $q'$, $g$, $d$, $v$, $x$, $y$ and $\mathrm{hash}()$, wherein
$N = pq$, $p$ and $q$ are large safe primes, $p'$ and $q'$ are large primes, and $p = 2p' + 1$, $q = 2q' + 1$, $m = p'q'$;
$Z_N^*$ denotes the least residue system of $N$, and $Q_N$ denotes the multiplicative subgroup formed by all quadratic residues in $Z_N^*$,
Figure FA20190296200610162694401C00021
is a generator of the subgroup $Q_N$;
$d$ and $v$ are chosen at random so that both are coprime to $m$; the group key is $x = g^{d} \bmod N$, the group public key is $y$, and $x^{v} y \equiv 1 \bmod N$;
$\mathrm{hash}()$ is a selected strong one-way hash function;
through the new threshold group signature protocol, at initialization the system selects a polynomial $f()$ of degree $t-1$ whose constant term $d = f(0) \bmod m$ is the root key of the whole system; the sub-key $s_i = g^{f(i) \bmod m} \bmod N$ is then distributed to each group member, $1 \le i \le t$, where $t$ is the number of members taking part in the group signature;
through the new threshold group signature protocol, when any $t$ members produce a group signature on a given message $M$, each member taking part in the group signature selects a random integer $k_i$, then computes and broadcasts
Figure FA20190296200610162694401C00022
each member taking part in the group signature computes
Figure FA20190296200610162694401C00023
(M R), obtains son signature separately to reach h=hash
Figure FA20190296200610162694401C00024
By described new Threshold Group signature agreement, obtained t son signature c that participates in group's signature member by group's signer iAfter, calculate
Figure FA20190296200610162694401C00025
Generated group signature (c, h) and certificate (M, c, h);
By described new Threshold Group signature agreement, (when h) carrying out authentication, the verifier calculates R '=c for M, c according to described group's signing certificate vy hModN, and judge whether h=h (M, R ') sets up, if set up then the authentication success.
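Added example, not part of the patent: a toy Python run of the claim 3 scheme from dealing sub-keys to the verifier's check. The parameter relations, the sub-key formula and the verification equation are the ones stated in the claim; the broadcast value, R, $c_i$ and c survive on this page only as figure references, so the forms used here (commitments $k_i^v$, $c_i = k_i \cdot s_i^{\lambda_i h}$ with Lagrange coefficients $\lambda_i$ mod m, c as the product of the $c_i$) are assumptions chosen to satisfy that equation, as are the small primes, SHA-256 and every function name.

```python
import hashlib
import math
import secrets

# Toy parameters (constructed; real moduli are far larger).
P1, Q1 = 1019, 1031                 # p', q'
N = (2 * P1 + 1) * (2 * Q1 + 1)     # N = pq, p = 2p'+1, q = 2q'+1
M_ORD = P1 * Q1                     # m = p'q', the order of Q_N
G = 4                               # a square of order m: generates Q_N
D, V = 65537, 257                   # root key d and v, both coprime to m
X = pow(G, D, N)                    # group key x = g^d mod N
Y = pow(pow(X, V, N), -1, N)        # public key y with x^v * y = 1 (mod N)


def hash_int(message, r):
    """hash(M, R) as an integer; SHA-256 is an assumption of this example."""
    return int.from_bytes(hashlib.sha256(message + b"|%d" % r).digest(), "big")


def deal(coeffs, n):
    """Sub-keys s_i = g^(f(i) mod m) mod N, f(z) = d + coeffs[0]*z + ..."""
    def f(z):
        return (D + sum(a * z ** (e + 1) for e, a in enumerate(coeffs))) % M_ORD
    return {i: pow(G, f(i), N) for i in range(1, n + 1)}


def lagrange_at_zero(i, members):
    """Lagrange coefficient of index i at z = 0, reduced mod m."""
    num = den = 1
    for j in members:
        if j != i:
            num, den = num * -j % M_ORD, den * (i - j) % M_ORD
    return num * pow(den, -1, M_ORD) % M_ORD


def rand_unit():
    while True:                     # random k_i in Z_N^*
        k = secrets.randbelow(N - 2) + 2
        if math.gcd(k, N) == 1:
            return k


def threshold_sign(message, subkeys):
    """Joint signature (c, h) by the members in subkeys (index -> s_i).
    Assumed form: commitments k_i^v, c_i = k_i * s_i^(lambda_i * h)."""
    members = list(subkeys)
    k = {i: rand_unit() for i in members}
    r = math.prod(pow(k[i], V, N) for i in members) % N   # R = prod k_i^v
    h = hash_int(message, r)
    c = 1
    for i in members:
        exp = lagrange_at_zero(i, members) * h
        c = c * k[i] * pow(subkeys[i], exp, N) % N        # multiply in c_i
    return c, h


def verify(message, c, h):
    """Claim 3 check: R' = c^v * y^h mod N, accept iff h == hash(M, R')."""
    r_prime = pow(c, V, N) * pow(Y, h, N) % N
    return h == hash_int(message, r_prime)


if __name__ == "__main__":
    keys = deal([4321, 101], n=5)   # t = 3, constructed coefficients
    print(verify(b"M", *threshold_sign(b"M", {i: keys[i] for i in (1, 3, 5)})))
```

The Lagrange coefficients are reduced mod m, which this toy can do only because m is in scope; how signers avoid needing m is not shown on this page.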
4. The authentication method for a mobile ad hoc network according to claim 3, characterized in that the step in which the system initializes all initial nodes and, by the new threshold group signature protocol, issues to each node its own certificate and sub-key comprises the following sub-steps:
The system presets the parameters N, p, q, m, p', q', g, d, v, x, y and hash() by the new threshold group signature protocol;
The system adopts the public information $M_i$ of node user $P_i$ as the certificate content, selects a random number $b_i$ for it, and calculates
Figure FA20190296200610162694401C00031
$h_i = \mathrm{hash}(M_i, B_i)$, generates the certificate $(M_i, S_i, B_i)$ of this node user, and sends it to this node confidentially;
The system selects the polynomial f(), generates the sub-key $s_i$ of each node by the new threshold group signature protocol, and sends it to this node confidentially.
5. The authentication method for a mobile ad hoc network according to claim 3, characterized in that the step in which, when a new node joins, a specified number of nodes, according to their sub-keys, jointly issue a certificate to the new node by the new threshold group signature protocol comprises the following sub-steps:
When a new node $P_{N'}$ joins the mobile ad hoc network and obtains the agreement of a cluster head $CH_{N'}$ to become a member of that cluster, it requests the cluster head $CH_{N'}$ to issue a certificate and sends an integer $g^a \bmod N$, where a is a random number generated by $P_{N'}$;
After $CH_{N'}$ agrees to issue the certificate, it forwards $g^a \bmod N$ to the other cluster heads $CH_i$ until the number of cluster heads agreeing to jointly issue the certificate reaches the number of cluster heads participating in the group signature; these joint group signature cluster heads $CH_i$ each return two numbers to the new node $P_{N'}$,
Figure FA20190296200610162694401C00033
and
Figure FA20190296200610162694401C00034
where $r_i$ and $k_i$ are random numbers generated by $CH_i$;
The new node $P_{N'}$ saves the random numbers returned by the joint group signature cluster heads, and calculates
Figure FA20190296200610162694401C00035
and sends R, the certificate content M and the identification information of all the joint group signature cluster heads to the first joint group signature cluster head;
Each joint group signature cluster head $CH_i$, after receiving this message, calculates $h = \mathrm{hash}(M, R)$,
Figure FA20190296200610162694401C00036
where A is the set formed by the cluster heads participating in the authentication and $s_i$ is the sub-key of $CH_i$; after appending $d'_i$ to this message, it passes the message on to the next joint group signature cluster head $CH_{i+1}$;
This continues until the last joint group signature cluster head $CH_t$, which calculates
Figure FA20190296200610162694401C00041
and returns
Figure FA20190296200610162694401C00042
to the new node $P_{N'}$;
After receiving the returned S', the new node $P_{N'}$ calculates the group signature
Figure FA20190296200610162694401C00043
and the jointly issued certificate generated is (M, S, R).
6. The authentication method for a mobile ad hoc network according to claim 5, characterized in that the step in which nodes perform identity authentication according to the certificates by the new threshold group signature protocol comprises the following sub-steps:
When ordinary inter-cluster communication is carried out between nodes of different clusters, routing and forwarding go via the respective cluster heads, and the nodes authenticate each other according to their respective certificates by the new threshold group signature protocol;
When non-ordinary inter-cluster communication is carried out between nodes of different clusters, routing and forwarding go via the respective cluster heads; the nodes authenticate each other according to their respective certificates by the new threshold group signature protocol, and the cluster heads also authenticate each other according to their respective certificates by the new threshold group signature protocol.
7. The authentication method for a mobile ad hoc network according to claim 6, characterized in that a zero-knowledge authentication protocol is adopted when performing the identity authentication:
The authenticating party first sends a random number u to the authenticated party;
The authenticated party modifies its certificate (M, S, R) according to the received random number u to generate the authentication message $(M, S^u \bmod N, R \bmod N)$, and sends it to the authenticating party;
The authenticating party calculates $h_B = \mathrm{hash}(M, R \bmod N)$ and
Figure FA20190296200610162694401C00044
and judges whether
Figure FA20190296200610162694401C00045
holds, where $R_B$ is the R in the authenticated party's certificate (M, S, R); if it holds, the authentication succeeds, otherwise the authentication fails.
8. The authentication method for a mobile ad hoc network according to claim 7, characterized by further comprising the following step:
Nodes perform identity authentication by the Hash to Obtain Random Subset protocol, realizing intra-cluster communication.
9. The authentication method for a mobile ad hoc network according to claim 8, characterized in that,
For the Hash to Obtain Random Subset protocol, the following parameters need to be set:
The number of keys t', the key bit length l, and the dynamically updated synchronization step number u, the number of keys t' and the key bit length l being integers;
A strong one-way function H(), used to convert an input number of arbitrary length into k integers less than t'-1;
A group of hash functions $f_i()$ (0≤i≤t'-1), used to generate the next group on the hash chain from the previous group on the hash chain;
Starting from t' values of l bits each, $S_{\langle 0,0\rangle}, S_{\langle 0,1\rangle}, \ldots, S_{\langle 0,t'-1\rangle}$, t' hash chains of length d are constructed, to be used as the intra-cluster public key and intra-cluster key of a node within a cluster;
By the Hash to Obtain Random Subset (HORSC) protocol, the steps by which the authenticated party authenticates itself to the authenticating party are as follows:
The authenticating party first sends a random number v of length $k \log_2 t'$ to the authenticated party;
The authenticated party forms the dynamic signature message M from its identity information, the random number v, the synchronization step number u and a timestamp;
The authenticated party calculates H(M) to obtain k substrings, computes the remainder a of the timestamp modulo k, and inserts the random number v after the (a+1)-th substring, obtaining 2k substrings $\{h_1, h_2, \ldots, h_{2k}\}$ in total; it converts them into 2k integers $i_j$ (1≤j≤2k) and, according to the current synchronization step number u, obtains from the hash chains the signature of M, which is
When the authenticating party receives this signature, it calculates $\{h_1, h_2, \ldots, h_{2k}\}$ and $i_j$ (1≤j≤2k) by the same method as the authenticated party, and according to the current public key $(v_0, v_1, \ldots, v_{t-1})$ verifies whether
Figure RE-FSB00000159232300022
holds; if it holds, the authentication succeeds, otherwise the authentication fails.
10. The authentication method for a mobile ad hoc network according to claim 9, characterized in that,
The cluster head manages the intra-cluster public keys of all nodes in the cluster, and broadcasts its own intra-cluster public key to all nodes in the cluster;
When a new node joins the cluster, the node regenerates its intra-cluster public key by the Hash to Obtain Random Subset (HORSC) protocol and sends it to the cluster head;
When the cluster head role is taken over by a new node, it re-collects the intra-cluster public keys of all nodes in the cluster;
During intra-cluster authentication, the authenticating party obtains the authenticated party's intra-cluster public key from the cluster head of the cluster;
When a node within the cluster leaves the cluster, the cluster head revokes the node's intra-cluster public key and notifies all nodes in the cluster;
When intra-cluster authentication is performed by the Hash to Obtain Random Subset (HORSC) protocol, the intra-cluster key is used together with the synchronization step number;
The cluster head updates the synchronization step number according to the rate at which all nodes in the cluster disclose their intra-cluster keys, and broadcasts it to all nodes in the cluster;
The cluster head initiates an update of the intra-cluster public keys of all nodes in the cluster according to the running time and the changes of nodes; at that moment all nodes update their intra-cluster public keys and reset the synchronization step number.
11. The authentication method for a mobile ad hoc network according to claim 2, characterized in that all nodes of the mobile ad hoc network run in an ordinary working state when acting as nodes within a cluster and in an enhanced working state when acting as cluster head nodes; a node in the enhanced working state obtains control of network and processing resources with priority over nodes in the ordinary working state.
12. An authentication system for a mobile ad hoc network, characterized by comprising:
A unit that initializes all initial nodes and, by a new threshold group signature protocol, issues to each node its own certificate and sub-key;
A specified number of nodes, configured to jointly issue a certificate to a new node when it joins, according to their sub-keys, by the new threshold group signature protocol; the new node performs identity authentication according to the issued certificate by the new threshold group signature protocol, realizing communication;
Wherein the new threshold group signature protocol is an improved protocol based on GQ threshold group signature theory, and its differences from the GQ threshold group signature comprise: 2t exponentiation functions are computed in the sub-signature generation phase, t being the number of members in the network participating in the group signature; no exponentiation function is computed when the group signature is synthesized; 2 exponentiation functions are computed during signature verification; and part of the exponentiation operations are performed simultaneously in the network or performed in advance.
13. The authentication system for a mobile ad hoc network according to claim 12, characterized in that the mobile ad hoc network adopts a clustered networking structure, each cluster comprises a cluster head node, and communication between clusters goes via the cluster heads,
The specified number of nodes that jointly issue the certificate to the new node are all cluster head nodes.
CN2006101626944A 2006-12-01 2006-12-01 Mobile ad hoc authentication method and system Expired - Fee Related CN101192928B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2006101626944A CN101192928B (en) 2006-12-01 2006-12-01 Mobile ad hoc authentication method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2006101626944A CN101192928B (en) 2006-12-01 2006-12-01 Mobile ad hoc authentication method and system

Publications (2)

Publication Number Publication Date
CN101192928A CN101192928A (en) 2008-06-04
CN101192928B true CN101192928B (en) 2010-09-29

Family

ID=39487702

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2006101626944A Expired - Fee Related CN101192928B (en) 2006-12-01 2006-12-01 Mobile ad hoc authentication method and system

Country Status (1)

Country Link
CN (1) CN101192928B (en)

Families Citing this family (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101877638B (en) * 2009-04-30 2014-05-14 北京邮电大学 Cubic residue-based identity signature system
CN102208977B (en) * 2010-03-31 2014-05-07 中国移动通信集团公司 Method, equipment and system for network authentication
CN102572821B (en) * 2012-01-13 2014-06-04 河南科技大学 Broadcast authentication method of low-power-consumption real-time wireless sensor network
CN102663326B (en) * 2012-03-12 2015-02-18 东南大学 SoC-used data security encryption module
CN102710422B (en) * 2012-06-07 2014-09-17 西安电子科技大学 Node authentication method for avoiding authentication congestion
CN102904896A (en) * 2012-10-23 2013-01-30 大连理工大学 Anonymous authentication scheme under vehicular ad hoc network based on biometric encryption technology
CN103259661B (en) * 2013-04-25 2016-04-27 河海大学 Based on the Directed transitive signatures method of discrete logarithm
CN103957097A (en) * 2014-04-14 2014-07-30 河海大学 Routing and data safety guaranteeing method of mobile Ad Hoc network
CN104243456B (en) * 2014-08-29 2017-11-03 中国科学院信息工程研究所 Suitable for signature of the cloud computing based on SM2 algorithms and decryption method and system
CN105813073B (en) * 2014-12-30 2020-02-21 大唐高鸿信息通信研究院(义乌)有限公司 Roadside node verifiable threshold signature method based on vehicle-mounted short-distance communication network
CN105813068B (en) * 2014-12-30 2020-02-21 大唐高鸿信息通信研究院(义乌)有限公司 Distributed verifiable threshold key distribution method based on vehicle-mounted short-distance communication network
EP3633921B1 (en) 2015-07-22 2021-07-21 Huawei Technologies Co., Ltd. Data link layer-based communication method, device, and system
GB2546340A (en) * 2016-01-18 2017-07-19 Isis Innovation Improving security protocols
CN106506156B (en) * 2016-12-15 2018-08-03 北京三未信安科技发展有限公司 A kind of distributed Threshold Signature method based on elliptic curve
CN107017993B (en) * 2017-04-01 2020-05-05 北京江南天安科技有限公司 Multi-party combined key generation and digital signature method and system
CN107659395B (en) * 2017-10-30 2021-09-24 武汉大学 Identity-based distributed authentication method and system in multi-server environment
CN107820243B (en) * 2017-11-01 2021-08-13 东莞理工学院 Dynamic loading device and method for encryption key of wireless multi-hop self-organizing network
CN107819586A (en) * 2017-11-20 2018-03-20 电子科技大学 A kind of thresholding attribute base endorsement method of more authorization centers
CN109150545B (en) * 2018-08-31 2021-10-08 尚小朋 ECC-based (m, N) threshold group signature method
CN109547206B (en) * 2018-10-09 2020-11-06 深圳壹账通智能科技有限公司 Digital certificate processing method and related device
TWI678910B (en) * 2018-12-22 2019-12-01 財團法人工業技術研究院 Network security system and network security method
CN109951288B (en) * 2019-01-22 2020-08-28 中国科学院信息工程研究所 Hierarchical signature method and system based on SM9 digital signature algorithm
CN109617929B (en) * 2019-02-12 2021-07-13 浪潮通用软件有限公司 Node and user interactive authentication method and system in block chain network mode
CN109963279B (en) * 2019-03-08 2021-07-09 中国科学院上海微系统与信息技术研究所 Hybrid encryption method applied to dynamic ad hoc network
CN110457936B (en) 2019-07-01 2020-08-14 阿里巴巴集团控股有限公司 Data interaction method and device and electronic equipment
CN110855670B (en) * 2019-11-15 2021-12-03 扬州大学 Method suitable for credible message broadcasting and security authentication of vehicle-mounted ad hoc network
CN111294794B (en) * 2020-02-25 2023-09-19 中国航空无线电电子研究所 Distributed security encryption mechanism suitable for high-dynamic self-organizing network
CN114172747B (en) * 2022-02-10 2022-07-12 亿次网联(杭州)科技有限公司 Method and system for group members to obtain authentication certificate based on digital certificate

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1585329A (en) * 2004-06-08 2005-02-23 中国科学院计算技术研究所 Phonetic telecommunication method for mobile self-organizing network
CN1645830A (en) * 2005-01-27 2005-07-27 中国科学院计算技术研究所 Method for building emergent communicating system by hierarchical self-organized network

Also Published As

Publication number Publication date
CN101192928A (en) 2008-06-04

Similar Documents

Publication Publication Date Title
CN101192928B (en) Mobile ad hoc authentication method and system
Du et al. Transactions papers a routing-driven elliptic curve cryptography based key management scheme for heterogeneous sensor networks
Deng et al. Threshold and identity-based key management and authentication for wireless ad hoc networks
US7266692B2 (en) Use of modular roots to perform authentication including, but not limited to, authentication of validity of digital certificates
CN101222325B (en) Wireless multi-hop network key management method based on ID
CN1801696B (en) Key managing project for virtual organization under gridding computer environment
CN100563150C (en) A kind of distributed identity-card signature method
CN103702326B (en) A kind of Certificateless key agreement method based on mobile Ad Hoc network
CN102223629B (en) Distribution method of threshold keys of mobile Ad hoc network
Yang Broadcast encryption based non-interactive key distribution in MANETs
Ometov et al. Securing network-assisted direct communication: The case of unreliable cellular connectivity
CN102186170A (en) Method and device for managing secret keys in wireless sensor network
CN102123392B (en) Secret key management method for distributed wireless sensor network
CN104703178A (en) Machine type communication authenticating and key negotiating method based on group anonymous proxy
Halford et al. Energy-efficient group key agreement for wireless networks
Deng et al. Identity based two-party authenticated key agreement scheme for vehicular ad hoc networks
CN114928835A (en) Dynamic wireless sensor network construction method based on block chain and secret key management
Di Crescenzo et al. Improved topology assumptions for threshold cryptography in mobile ad hoc networks
Zhou et al. A novel group key establishment scheme for MANETs
Hamouid et al. Self-certified based trust establishment scheme in ad-hoc networks
Li et al. Key management using certificateless public key cryptography in ad hoc networks
Wang et al. Pseudonym-based cryptography and its application in vehicular ad hoc networks
Di Crescenzo et al. Threshold cryptography in mobile ad hoc networks under minimal topology and setup assumptions
Xie A Cluster-Based Key Management Scheme for MANET
CN106658506A (en) Security authentication architecture of wireless mesh network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100929

Termination date: 20141201

EXPY Termination of patent right or utility model